Thank you for responding. The problem I'm actually trying to solve is why the 
requests to our NPS are going PAP rather than PEAP. The FR debug issue is part 
of that troubleshooting. I'm also realizing that I didn't research the new PF 
authentication structure as well as I should have, so I've moved to that rather 
than worry too much about the FR oddness.


Yes, the reject does come back from the NPS proxy.
Proxy.conf modifications were just to add a home server, pool and associated 
realms (I figured I should use the new structure). I've pasted it at the end of 
this email.

When I wake the test client up, the machine auth request is processed and 
visible in FR debug – here's the top lines:
=======
Listening on proxy address 192.168.250.100 port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.250.1 port 54863, id=40, 
length=168
User-Name = "c42c030e3f2f"
NAS-Port = 80
EAP-Message = 0x0200001101633432633033306533663266
Message-Authenticator = 0x4b83332c3f67c720d904aff2ba0e5554
Acct-Session-Id = "8O2.1x811a112f000bc3b9"
NAS-Port-Id = "ge-0/0/9.0"
Calling-Station-Id = "c4-2c-03-0e-3f-2f"
Called-Station-Id = "2c-21-72-a6-bf-00"
NAS-Identifier = "Test-4200"
NAS-Port-Type = Ethernet
server packetfence {
# Executing section authorize from file 
/usr/local/pf/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] No '@' in User-Name = "c42c030e3f2f", looking up realm NULL
=======

I'll paste in the tcpdump output, since it's just the two packets between FR 
and the NPS box:
===============
[root@packetfence logs]# tcpdump -vvv -s 0  -i any port 1812
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 
65535 bytes
09:05:17.872716 IP (tos 0x0, ttl 64, id 42085, offset 0, flags [DF], proto UDP 
(17), length 81)
    192.168.250.100.42250 > pnap2k801.themastersschool.com.radius: [bad udp 
cksum 2bdd!] RADIUS, length: 53
Access Request (1), id: 0xa6, Authenticator: 0177602ba13f2263f949bf33dbb790e9
 Username Attribute (1), length: 9, Value: <username>
   0x0000:  6d61 6774 6573 74
 Password Attribute (2), length: 18, Value:
   0x0000:  6889 643b bbba 4b82 5954 0448 a4bf 7330
 NAS IP Address Attribute (4), length: 6, Value: 192.168.250.100
   0x0000:  c0a8 fa64
09:05:17.893936 IP (tos 0x0, ttl 126, id 13047, offset 0, flags [none], proto 
UDP (17), length 48)
    pnap2k801.themastersschool.com.radius > 192.168.250.100.42250: [udp sum ok] 
RADIUS, length: 20
Access Reject (3), id: 0xa6, Authenticator: ddf67c43c6718e0acb40e9e394405a51
================



[root@packetfence raddb]# cat proxy.conf
# -*- text -*-
##
## proxy.conf -- proxy radius and realm configuration directives
##
## $Id$

#######################################################################
#
#  Proxy server configuration
#
#  This entry controls the servers behaviour towards ALL other servers
#  to which it sends proxy requests.
#
proxy server {
        default_fallback = no
}

home_server localhost {
        type = auth
        ipaddr = 127.0.0.1
        port = 1812
        secret = testing123

        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = status-server
        # username = "test_user_please_reject_me"
        # password = "this is really secret"
        check_interval = 30
        num_answers_to_alive = 3
        max_outstanding = 65536
        coa {
                # Initial retransmit interval: 1..5
                irt = 2

                # Maximum Retransmit Timeout: 1..30 (0 == no maximum)
                mrt = 16

                # Maximum Retransmit Count: 1..20 (0 == retransmit forever)
                mrc = 5

                # Maximum Retransmit Duration: 5..60
                mrd = 30
        }
}

home_server pnap2k801 {
        type = auth
        ipaddr = 10.10.30.8
        port = 1812
        secret = <sanitized>

        # require_message_authenticator = yes
        response_window = 20
        zombie_period = 40
        revive_interval = 120
        status_check = none
        # username = "test_user_please_reject_me"
        # password = "this is really secret"
        check_interval = 30
        num_answers_to_alive = 3
        max_outstanding = 65536
}

home_server_pool my_auth_failover {
        type = fail-over
        home_server = localhost
}

home_server_pool masters_pool {
        type = fail-over
        home_server = pnap2k801
}

realm themastersschool.com {
        auth_pool = masters_pool
        # nostrip
}

realm MASTERS {
        auth_pool = masters_pool
        # nostrip
}

realm mastersny.org {
        auth_pool = masters_pool
        # nostrip
}

#realm NULL {
#       pool = masters_pool
#}

realm LOCAL {
        #  If we do not specify a server pool, the realm is LOCAL, and
        #  requests are not proxied to it.
}

Enjoy!

Tim
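A small RADIUS packet classifier, added here as an example (not from this thread, PacketFence or FreeRADIUS), that checks the same thing the tcpdump above shows: an Access-Request carrying User-Password is PAP, while one carrying EAP-Message (with its Message-Authenticator) is EAP/PEAP. The two sample packets are constructed to mirror the captured requests; the username `testuser` and the zeroed authenticators are placeholders.

```python
import struct

# RADIUS attribute type codes (RFC 2865, RFC 3579) needed to tell the methods apart.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS = 1, 2, 3, 4
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80

def parse_radius(pkt: bytes) -> dict:
    """Parse a RADIUS packet (20-byte header plus TLV attributes) into a dict."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or not 20 <= length <= 4096:
        raise ValueError(f"length field {length} disagrees with {len(pkt)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        # Refuse malformed TLVs instead of reading past the buffer.
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = pkt[pos], pkt[pos + 1]
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def auth_method(parsed: dict) -> str:
    """Classify the credential an Access-Request carries: EAP, PAP, CHAP or none."""
    types = {t for t, _ in parsed["attrs"]}
    if EAP_MESSAGE in types:
        # RFC 3579 requires Message-Authenticator alongside EAP-Message.
        return "EAP" if MESSAGE_AUTHENTICATOR in types else "EAP (no Message-Authenticator)"
    if USER_PASSWORD in types:
        return "PAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    return "none"

def build_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Assemble an Access-Request from (type, value) pairs; used for the constructed samples."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body  # code 1

# Constructed samples, not the poster's traffic: the shape of the proxied request (User-Name,
# encrypted User-Password, NAS-IP-Address, nothing else) versus the inbound request, which
# carried EAP-Message and Message-Authenticator. Placeholder username, zeroed authenticators.
PROXIED_PAP = build_request(0xA6, bytes(16), [
    (USER_NAME, b"testuser"), (USER_PASSWORD, bytes(range(16))),
    (NAS_IP_ADDRESS, bytes([192, 168, 250, 100]))])
INBOUND_EAP = build_request(40, bytes(16), [
    (USER_NAME, b"c42c030e3f2f"),
    (EAP_MESSAGE, bytes.fromhex("0200001101633432633033306533663266")),
    (MESSAGE_AUTHENTICATOR, bytes(16))])
```

Run `auth_method(parse_radius(pkt))` over the raw UDP payloads of a capture to see which method each proxied request actually carries.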

From: Derek Wuelfrath <[email protected]>
Reply-To: <[email protected]>
Date: Fri, 24 May 2013 02:54:08 -0400
To: <[email protected]>
Subject: Re: [PacketFence-users] Register/captiveportal and radius debug

You should obviously see something in the FreeRADIUS debug.

Do you see any reply from the NPS box back to the PacketFence/FreeRADIUS box?
Do you mind sharing a packet capture?

Can you share the modifications made to the proxy file ?

Cheers!
dw.

--
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On 2013-05-22, at 5:48 PM, "Palmer, Tim" <[email protected]> wrote:

So, should I not see anything in the radius debug output from the captive 
portal/registration page?

------------------------------------------------------------------------------ 
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
